By security practitioners, for security practitioners innovate | novacoast federal | novaSOC | novacoast
By security practitioners, for security practitioners

The Return of Emotet Malware

The infamous botnet and malware known as Emotet is making a rise from the ashes in a new, more advanced form after last year’s government takedown of its operators.

While the return of malicious threat actors (sometimes with new names) is common, the return of Emotet malware only 10 months after a takedown has cybersecurity operations on alert.

In 2014, the Mealybug group’s Emotet malware began its malicious journey as a banking trojan. Often weaponized with worm capabilities, it was first uncovered by threat analyst Joie Savio. Since then, we’ve witnessed it learn new tricks and morph into many things on its malicious journey to becoming part of the gang’s Malware-as-a-Service crimeware ring selling its services to cybercrime gangs such as Ryuk.

Over time, this botnet earned its reputation as being a very dangerous threat to multiple industries, and now a resurgent Emotet version is spreading again.

Emotet Malware’s Resurgence 

In early 2021, activity from Emotet dropped off after Eurojust, Europol, and international partners executed a takedown of the malware, arresting several Ukrainian nationals responsible for its supporting infrastructure.

A late 2021 report from security researcher Luca Ebach describes how Emotet is leveraging the infamous TrickBot malware as an entry point to spread a newer version of itself on previously-infected systems.

It has since spread across 179 nations infecting roughly 130,000 systems. While this is nothing compared to its previous record of infections, it is a testament to its disturbing resilience.

Since November, analysts and threat hunting teams have been busy tracking Emotet’s new tricks and movement. This resurgence comes with many new TTPs that all organizations should be prepared against.

Methods of Infection

The pretext that Emotet most recently leverages is an IRS-branded phishing campaign. The emails masquerade as the IRS, sending the recipient their 2021 Tax Return, W-9s, or other tax documents that are usually needed during the tax season.

Historically, Emotet has been known to imitate familiar brands such as PayPal and DHL to appear authentic to recipients. Using the IRS brand during tax season is merely another well-timed opportunity for the malware group.

Generally, the Emotet malware is spread using attached Word or Excel documents containing malicious macros. If the recipient opens them, they will be tricked into enabling the macros that will download the Emotet malware onto the computer. While Emotet mainly uses Excel spreadsheets attached to its email campaigns, it has also been observed leveraging password-protected zip archives.

While Emotet has employed cloud storage links in the past, the use of OneDrive URLs is a new addition. The URLs link to hosted zipped Microsoft Excel Add-in (XLL) files which, when unzipped, can execute the same as macros to infect the target. The difference is that many organizations disable VBA macros by default. Microsoft even recently announced it would make this the default behavior of Office apps.

In a version of the infection that uses macros, Emotet will display a fake Microsoft 365 prompt stating “THIS DOCUMENT IS PROTECTED,” and instructs target users on how to enable macros.

By using malspam the Emotet malware propagates, leveraging several classic methods such as malicious scripts, phishing links, or macro-enabled files.

In December 2021, an Emotet phishing campaign including links to install a fake Adobe Windows app was observed by analysts. Then, after a brief holiday, the threat actor returned to attachment-based phishing campaigns.

Emotet Malware’s Target Victims

Since its resurgence in November, the malware ranks 7th on the Infosec Institute’s malware list.

Emotet threat actors are targeting education, communication, government, healthcare, financial, and most recently, automotive sectors. Basically, everyone.

Security firms are issuing alerts that several auto manufacturers are infected with Emotet, which is often used as an infection vector to drop ransomware.

What’s New About Emotet Malware?

When Emotet botnet infrastructure was taken down in January 2021, its main operation was delivering dangerous malware such as Trickbot, Ryuk ransomware, and others.

Since its return, there are new upgrades in the mix. For example, it uses Elliptic curve cryptography which improves the control flow flattening method of detection avoidance. It uses Windows application installer packages that imitate legitimate software. As one of its new payloads in current campaigns it installs Cobalt Strike Beacons.

Emotet malware now uses an evolved execution chain where recent changes include a switch from the .exe file of the Emotet binary to a .dll file. The .dll is loaded using the Rundll32 process and has added fake error messages that weaponize Microsoft Office documents.

Elliptic Curve Cryptography (ECC) replaces the RSA encryption Emotet used for validation and network traffic protection.

After a connection with a C2 server has been established, the new Emotet version installs a process list module. Its enhanced info-gathering capabilities now allow for better target system profiling. Previously, Emotet was limited in which information it gathered and could only send back a list of running processes.

MITRE ATT&CK Emotet Mapping

MITRE ATT&CK is recognized as a globally accessible knowledge base of adversary tactics and techniques based on real-world observations by threat hunters and cybersecurity analysts. Cybersecurity analysts and threat hunters rely on the ATT&CK framework to map out APTs and malicious threats to improve detection in their systems.

Current ATT&CK mapping for Emotet malware includes the following tactics and techniques:

TacticTechnique
T1010Application Window Discovery
T1012Query Registry
T1018Remote System Discovery
T1055Process Injection
 T1036Masquerading
T1057Process Discovery
T1082System Information Discovery
T1083File and Directory Discovery
T1518Security Software Discovery
T1547LSASS Driver
T1218Rundll32
T1562Disable or Modify Tools
T1564Hidden Files and Directories

Indicators of Compromise (IOCs)

IOCs for the Emotet malware as of February 2022:

IOCNotes
c7574aac7583a5bdc446f813b8e347a768a9f4af858404371eae82ad2d136a01Reference sample
http://23.246.204.126:443
http://149.56.163.161:8080
http://212.237.5.209:443
http://159.89.230.105:443
http://178.63.25.185:443
http://104.251.214.46:8080
http://195.154.133.20:443
http://217.182.143.207:443
http://103.75.201.4:443
http://162.243.175.63:443
http://173.212.193.249:8080
http://138.185.72.26:8080
http://107.182.225.142:8080
http://45.118.115.99:8080
http://46.55.222.11:443
http://212.237.56.116:7080
http://178.79.147.66:8080
http://160.16.102.168:80
http://212.237.17.99:8080
http://51.38.71.0:443
http://207.38.84.195:8080
http://212.24.98.99:8080
http://110.232.117.186:8080
http://159.8.59.82:8080
http://131.100.24.231:80
http://58.227.42.236:80
http://164.68.99.3:8080
http://103.75.201.2:443
http://41.76.108.46:8080
http://162.214.50.39:7080
http://50.116.54.215:443
http://203.114.109.124:443
http://45.142.114.231:8080
http://192.254.71.210:443
http://185.157.82.211:8080
http://45.118.135.203:7080
http://129.232.188.93:443
http://45.176.232.124:443
http://79.172.212.216:8080
http://158.69.222.101:443
http://144.76.186.49:8080
http://200.17.134.35:7080
http://176.104.106.96:8080
http://81.0.236.90:443
http://216.158.226.206:443

Configured C2s [Source: Github]
—–BEGIN PUBLIC KEY—– MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQF90tsTY3Aw9HwZ6N9y5+be9Xoov pqHyD6F5DRTl9THosAoePIs/e5AdJiYxhmV8Gq3Zw1ysSPBghxjZdDxY+Q==
—–END PUBLIC KEY—–  

—–BEGIN PUBLIC KEY—– MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE86M1tQ4uK/Q1Vs0KTCk+fPEQ3cuw TyCz+gIgzky2DB5Elr60DubJW5q9Tr2dj8/gEFs0TIIEJgLTuqzx+58sdg==
—–END PUBLIC KEY—–
ECDH & ECDSA Key
—–BEGIN PUBLIC KEY—– MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2DWT12OLUMXfzeFp+bE2AJubVDsW NqJdRC6yODDYRzYuuNL0i2rI2Ex6RUQaBvqPOL7a+wCWnIQszh42gCRQlg==
—–END PUBLIC KEY—–  

—–BEGIN PUBLIC KEY—– MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9C8agzYaJ1GMJPLKqOyFrlJZUXVI lAZwAnOq6JrEKHtWCQ+8CHuAIXqmKH6WRbnDw1wmdM/YvqKFH36nqC2VNA==
—–END PUBLIC KEY—–
ECDH & ECDSA Key
015a96c0567c86af8c15b3fe4e19098ae9d0ea583e6bc0bb71c344fc993a26cfSpam Attachment
https://evgeniys[.]ru/sap-logs/D6/
http://crownadvertising[.]ca/wp-includes/OxiAACCoic/
https://cars-taxonomy.mywebartist[.]eu/-/BPCahsAFjwF/
http://immoinvest.com[.]br/blog_old/wp-admin/luoT/
https://yoho[.]love/wp-content/e4laFBDXIvYT6O/
https://www.168801[.]xyz/wp-content/6J3CV4meLxvZP/
https://www.pasionportufuturo[.]pe/wp-content/XUBS/
Malicious URLs used in spam campaign, embedded inside “.docm” or “.xlsm” files
24a0d4ab862f7adfb3a59d81b3096229 2ea9293ff4ef17d5d2bc8528ca4cb37b 450803fe0d4f4393a26f33a33e07211d 4c025e6e88af450fa1cd3c6bf16a3567 99bcf92960b2a51843296d60eaf643b8 b4ed654f710c8eb94f4d3be0c237289d d6602d41a0f75503c9e4123b09da6fc0 ea64dbb2e0d26fafb0b367c3a8c2703fEmotet Payload File Hashes
http://actividades.laforetlanguages.com/wp-admin/BlkdOKDXL/
http://sbcopylive.com.br/rjuz/w/
https://trasix.com/wp-admin/y5Aa1jt0Sp2Qk/
https://www.parkinsons.co.in/abc/Y6Y0fTbUEg6/
https://biz.merlin.ua/wp-admin/W6agtFSRZGt371dV/
http://bruckevn.site/3yztzzvh/nmY4wZfbYL/
https://pardiskood.com/wp-content/NR/
https://daujimaharajmandir.org/wp-includes/63De/
https://datasits.com/wp-includes/Zkj4QO/
https://anugerahmasinternasional.co.id/wp-admin/SJbxE5I/
https://atmedic.cl/sistemas/3ZbsUAU/
https://anwaralbasateen.com/Fox-C404/mDHkfgebMRzmGKBy/
Emotet payload download URLs
anugerahmasinternasional.co.id
anwaralbasateen.com
atmedic.cl
bruckevn.site
datasits.com
daujimaharajmandir.org
laforetlanguages.com
merlin.ua
pardiskood.com
parkinsons.co.in
sbcopylive.com.br
trasix.com
Emotet payload download URLs
admin@unitanker.co.za
ctannous@samextg.com
info@carrozzeriabonfanti.net
iqbal@foresight.com.my
kkyasima.eg@kkyasima.jp
kurtulus@kaledenetim.com.tr
moksud@fourhgroup.com
shivam@geeken.co.in
tenken@tenryu-kensetsu.jp
william@starplastics.com.my
Observed Senders
2b8055ca8b0f93226b13f15ca83adf41
c21dc4862bb7ea6ae402460196879906
e20a84c502004bfdaf94c6e356595907
XLS maldoc files hashes
C:\Windows\system32\cmd.exe /c “”C:\Sandbox\analyst\DefaultBox\user\all\jledshf.bat” “

“C:\Windows\System32\cmd.exe” /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd
Captured by CMDWatcher after enabling macros
jledshf.bat   (found in C:\Users\all\)
e869dd1a602a7f0cbbefb7a018cd1253 (found in C:\Users\all\)
wetidjks.vbs
dd3db5e3dfe696a3de4220f803efe671
Embedded dropped files

Renewed Vigilance for Emotet

Emotet is currently very active since its resurgence and changes its tactics and techniques rapidly to avoid detection. Be aware that the new strain has new multiple stages, different file types, changed deployment methods, and obfuscated scripts that all are used before Emotet even gets to its final payload.

Organizations seeking to build a robust defense for the new Emotet should be aware of its revised techniques and update any detections previously put in place.

Previous Post

Weekly Top Ten Cybersecurity Stories – 4.22.2022

Next Post

Weekly Top Ten Cybersecurity Stories – 4.29.2022

Innovate uses cookies to give you the best online experience. If you continue to use this site, you agree to the use of cookies. Please see our privacy policy for details.